ProcessCreation Event

Fires when a process is being created.


virtual int FireProcessCreation(CBProcessProcessCreationEventParams *e);
typedef struct {
  int ProcessId;
  int ParentProcessId;
  int CreatingProcessId;
  int CreatingThreadId;
  const char *ProcessName;
  const char *ImageFileName;
  int FileOpenNameAvailable;
  const char *CommandLine;
  int ResultCode;
  int reserved;
} CBProcessProcessCreationEventParams;

virtual INT FireProcessCreation(CBProcessProcessCreationEventParams *e);
typedef struct {
  INT ProcessId;
  INT ParentProcessId;
  INT CreatingProcessId;
  INT CreatingThreadId;
  LPCWSTR ProcessName;
  LPCWSTR ImageFileName;
  BOOL FileOpenNameAvailable;
  LPCWSTR CommandLine;
  INT ResultCode;
  INT reserved;
} CBProcessProcessCreationEventParams;


This event fires when a process is being created, after its first thread is created but before it begins running.

Applications may use this event to cancel the process creation by returning an appropriate error code (e.g., ACCESS_DENIED) via ResultCode.

The ProcessId parameter reflects the Id of the process being created.

The ParentProcessId parameter reflects the Id of the new process's parent process, from which it may inherit certain resources (handles, shared memory, etc.).

The CreatingProcessId parameter reflects the Id of the process that created the new process (which is not always the same as its parent process).

The CreatingThreadId parameter reflects the Id of the thread that created the new process.

The ProcessName parameter reflects the name of the new process. This parameter's value is the same one that the GetProcessName method would return for ProcessId.

The ImageFileName parameter reflects the name of the new process's executable file, as either a partial or a fully-qualified file path.

The FileOpenNameAvailable parameter indicates whether the ImageFileName parameter contains a fully-qualified file path (true) or a partial one (false).

The CommandLine parameter reflects the command line used to start the new process.

The ResultCode parameter will always be 0 when the event is fired. If the event cannot be handled in a "successful" manner for some reason (e.g., a resource isn't available, security checks failed, etc.), set it to a non-zero value to report an appropriate error. Please refer to the Error Reporting and Handling topic for more information.

This event is fired synchronously; please refer to the Event Types topic for more information.
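
The handler logic below is an added example, not code from this documentation or from Callback Technologies. It shows a path-based deny rule that respects FileOpenNameAvailable, records when CreatingProcessId differs from ParentProcessId, and cancels creation through ResultCode. The struct is redeclared locally from the narrow-character declaration above so it compiles without the SDK; HandleProcessCreation, Verdict, kBlockedDirs and the use of 5 (Win32 ERROR_ACCESS_DENIED) for ACCESS_DENIED are assumptions.

```cpp
// Added example. Local stand-in for the SDK struct, copied from the declaration above.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

typedef struct {
  int ProcessId, ParentProcessId, CreatingProcessId, CreatingThreadId;
  const char *ProcessName; const char *ImageFileName; int FileOpenNameAvailable;
  const char *CommandLine; int ResultCode; int reserved;
} CBProcessProcessCreationEventParams;

static const int kErrorAccessDenied = 5;  // Win32 ERROR_ACCESS_DENIED
// Hypothetical policy: lower-cased directories from which execution is refused.
static const std::vector<std::string> kBlockedDirs = {
    "c:\\users\\public\\", "c:\\windows\\temp\\"};

static std::string Lower(const char *s) {
  std::string out(s ? s : "");
  std::transform(out.begin(), out.end(), out.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return out;
}

struct Verdict { bool deny; bool parentMismatch; };

// Hypothetical helper that a FireProcessCreation override would call.
Verdict HandleProcessCreation(CBProcessProcessCreationEventParams *e) {
  Verdict v = {false, false};
  // The creator is not always the parent; keep the mismatch as a review signal.
  v.parentMismatch = (e->CreatingProcessId != e->ParentProcessId);
  if (!e->FileOpenNameAvailable) {
    v.deny = true;  // partial path: a prefix rule cannot be evaluated, fail closed
  } else {
    const std::string image = Lower(e->ImageFileName);
    for (const std::string &dir : kBlockedDirs)
      if (image.compare(0, dir.size(), dir) == 0) { v.deny = true; break; }
  }
  if (v.deny) e->ResultCode = kErrorAccessDenied;  // non-zero cancels the creation
  return v;
}

int main() {
  // Constructed sample event, not captured from a real system.
  CBProcessProcessCreationEventParams e = {4242, 800, 800, 12, "tool.exe",
      "C:\\Users\\Public\\tool.exe", 1, "tool.exe -q", 0, 0};
  Verdict v = HandleProcessCreation(&e);
  std::printf("deny=%d mismatch=%d rc=%d\n", v.deny, v.parentMismatch, e.ResultCode);
  return 0;
}
```

Denying on a partial path is this example's policy choice; a deployment that cannot tolerate that should log the event and allow it instead.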

Copyright (c) 2020 Callback Technologies, Inc. - All rights reserved.
CBFS Filter 2020 C++ Edition - Version 20.0 [Build 7543]